I am almost shy to tell this weakness in public, but somehow this needs to be addressed. Did you fix the javascript vulnerability described above?
So yes, the password is encrypted. So at least they cannot find my password and use it in other places. But the encrypted password works to get access to wwwthreads, it works in place of the unencrypted password at login.
Imagine if they get the admin password via the javascript trick ..... Very bad. By the way, sessions might have an encrypted password in the url, and that password can be obtained in referrer logs of images. Make sure that the url does NOT contain the password.
But if someone obtains the session url immediately, real time, can't they choose the session url and just log into the same session???
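To illustrate the two problems the post raises (the stored password digest being accepted at login in place of the password, and a credential carried in the session URL), here is an added example in Python; it is not wwwthreads code and not the poster's, and the user store, salt, base URL and parameter names are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed user store (an assumption, not the real wwwthreads schema):
# only a salted SHA-256 digest of the password is kept, never the plaintext.
# A single fixed salt keeps the example short; real code uses per-user salts
# and a slow KDF.
SALT = "constructed-salt"
USERS = {"admin": hashlib.sha256((SALT + "correct horse").encode()).hexdigest()}


def digest(password: str) -> str:
    return hashlib.sha256((SALT + password).encode()).hexdigest()


def login_weak(user: str, supplied: str) -> bool:
    # The weakness described in the post: the stored digest itself is accepted
    # as a credential, so anyone who reads it (e.g. from a cookie or a log)
    # can log in without ever knowing the password.
    stored = USERS.get(user)
    return stored is not None and (supplied == stored or digest(supplied) == stored)


def login_fixed(user: str, supplied: str) -> bool:
    # Only the digest of what the client supplied is compared, in constant
    # time; the stored digest on its own is no longer a usable credential.
    stored = USERS.get(user)
    return stored is not None and hmac.compare_digest(digest(supplied), stored)


def session_url_weak(base: str, user: str) -> str:
    # The digest placed in the URL: every external image or link the page
    # loads receives it in the Referer header and it lands in their logs.
    return base + "?" + urlencode({"user": user, "pw": USERS[user]})


def session_url_fixed(base: str, session_id: str) -> str:
    # An opaque random session id carries nothing reusable as a credential.
    return base + "?" + urlencode({"sid": session_id})


def new_session_id() -> str:
    return secrets.token_urlsafe(32)


def url_leaks_secret(url: str) -> bool:
    # Defensive check: does any query parameter equal a stored digest?
    params = parse_qs(urlparse(url).query)
    return any(v in USERS.values() for vals in params.values() for v in vals)
```

A random session id is still a bearer token, which is exactly the post's last question: if it is copied in real time the session can be reused, so it belongs in a cookie rather than the URL and should expire quickly.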